BANGALORE, Karnataka—It’s more than a year since the Srikrishna Committee submitted its report on data protection, along with a draft personal data protection bill, but India is seemingly no closer to an actual law on the matter. However, the Reserve Bank of India (RBI) has already mandated data localisation norms, which met with a lot of resistance and criticism.
HuffPost India spoke to Barry Cook, Privacy and Group Data Protection Officer, VFS Global, who discussed data localisation rules and sounded a note of caution, adding that the cost to industry is likely to be high.
VFS Global is active in 147 different countries to facilitate visa applications, handling upwards of 20 million applications per year. Of this, around 5 million applications are from India alone, so Cook—part of whose role is to ensure that the company is compliant with data regulations around the world—has paid a lot of attention to the norms that are being followed globally, and talked about the importance of keeping people’s information private, while also allowing industry to easily engage with data.
“My goal, primarily, is to ensure compliance when VFS handles personal data, and that can mean personal data of the visa applicants, or internal employees and so on,” Cook said. “Primarily that’s my goal, to ensure that the company maintains compliance.”
“Now, as we operate across 147 countries, [it] wouldn’t be a very manageable model to have individual compliance modules models for each of those countries,” he explained. “Our corporate model, our privacy program, is based on the current highest level of data protection, globally, which is the European General Data Protection Regulation. It’s not because it’s better than any other or because it’s European. It’s currently the highest standard.”
“Now if a new data protection law seems to be a higher standard, then we will look at that and adopt that standard,” Cook added. “The thinking behind that is that operating across all those countries — 147 countries — it’s very difficult for us to operationalize a privacy program. But by adopting the high standard I know automatically, I’m going to be compliant in each of those countries.”
This isn’t a one size fits all solution though, and variations are required in different countries, but the goal, Cook said, is that a visa applicant in any country should have the same level of data protection, even in countries where there is no data protection law.
This also extends to the use of data by VFS Global, which, according to its contracts, cannot be monetised. “Actually we have quite strict controls on how we can use that data,” Cook said. “We are not allowed to use data that is used in the visa application process for secondary use, so we can’t monetize that data. And there’s a huge amount of data there which could be monetized but we’re not permitted by the contracts that we have to actually do that.”
Nationalism and data localisation
Similarly, VFS Global would be able to comply with data localisation if required, Cook said, but added that as of now, it didn’t look like this would be required.
“If there is a requirement to localize data, then we will need to consider, but again, it’s not clear on the scope of what localization is going to be,” he said. “Industry chatter on that at the moment is yes, it may just be health data, financial services, and it very much depends on what the government rolls out.”
A number of people have criticised data localisation requirements. In an article for HuffPost India, Eben Moglen, Professor of Law and Legal History at Columbia Law School, and Mishi Choudhary, a technology lawyer and managing partner at Mishi Choudhary & Associates, wrote that “the provision related to data localisation will end up increasing the costs for any new company by depriving them the benefits of ‘cloud computing’.”
In a submission to MEITY, SFLC.in (a non-profit legal services group that focuses on technology-related issues) said that data localisation is likely to hurt the GDP. “Many developing nations look towards India as a role model for creating their own laws and frameworks,” SFLC.in stated. “The perceived benefits of storing data locally, i.e. generating new jobs, may potentially be offset by an associated increase in the opportunity cost for Indian entrepreneurs that wish to expand their businesses to other countries, only to be faced with data localization costs in those countries.”
Cook also echoed this, and when asked if nationalism was seen as a key reason for such laws, he said it was a part of the rationale.
“I think with all data localization, there is an element of nationalism without a doubt. I get it. I understand why,” said Cook. “It’s the new oil, effectively, and it in itself, the data processing industry is worth billions to the Indian economy. And it makes sense to put some governance or control around that.”
“That said, data protection laws are now becoming the weapon of choice in governments in geopolitical situations… what it effectively does is pushes your borders out,” he added. “If you have an extra-territorial data protection law, like the European General Data Protection Regulation, in effect, you’re globalizing your country’s political agenda in some cases.”
“In summary, it may well protect the individual data, but you have to look at what is the message behind it. Generally speaking, external view of data localization is negative, it is seen as a tool that is used by more oppressive regimes,” Cook said.
He also added that the impact on industry of excessive localisation requirements would be negative. “In my personal opinion, this is not the opinion of the VFS, in my personal opinion I don’t think India should localize the data, I think it will force Indian companies to use Indian-based resources,” Cook said. “Okay that on the surface may seem good, but those resources have to compete with the likes of Amazon, Google, all of the other big cloud-based providers and compete on cost as well as service, and depending on the reports you read, the cost to the industry, of localizing data, will be quite high. So my view is that it’s not good for the Indian economy to localize data.”
Privacy by design
Cook again stressed that whatever decision the government took, the company would work to meet the requirements. At the same time, he outlined some of the ways in which VFS works to minimise the risk of compliance issues.
“Within the organization we adopt a very much proactive approach between data protection and privacy,” he explained. “So, for example, we will use privacy by design, privacy by default techniques for any of our newer services or products or technology that we are planning or building to roll out.”
“As soon as we get the business design requirements, how we can minimize the data that is used,” Cook said. “A classic example here is if we’re trying to ascertain somebody’s age, the most common way of doing that is to ask for the date of birth. We can simplify that, reduce the amount of data we have by simply saying, ‘how old are you?’ So it’s a very subtle difference, but it means we desensitise the data we hold.”
VFS does handle a huge amount of highly sensitive personal data. Cook said that the company uses automated systems to purge data as soon as it receives delivery reports from the local missions where the information is supposed to go; a similar process is also followed for paper forms—they’re sent to the mission with no copies being made, he said.
“We reduce our exposure by minimising the amount of data, and the amount of time we hold that data,” Cook said.